This policy has been established to ensure that information security incidents within Runitas Bilişim Teknoloji A.Ş. are managed in a rapid, effective, and standards-compliant manner. The purpose of the policy is to protect information assets, minimize potential damage, and ensure compliance with legal regulations.
This policy applies to all employees, external service providers, contractors, and information systems of Runitas Bilişim Teknoloji A.Ş. The policy covers all types of information security incidents, such as data breaches, system outages, malware attacks, and unauthorized access.
Information Security Incident: Any event that threatens the confidentiality, integrity, or availability of information assets.
Incident Management: The set of activities involving the detection, assessment, management, and reporting of information security incidents.
Detection: All employees and relevant parties must immediately report any detected information security incident to the Information Security Team.
Assessment: The scope, impact, and priority level of the incident are evaluated.
Response: Necessary actions are taken to minimize the impact of the incident and to resolve it.
Recording and Monitoring: All incidents are recorded in detail and monitored throughout the resolution process.
4.2. Roles and Responsibilities
Information Security Team: Responsible for managing, analyzing, and resolving incidents.
Employees: Responsible for detecting incidents and reporting them in a timely manner.
Senior Management: Responsible for supporting the implementation of the policy and providing necessary resources.
4.3. Notification and Reporting
Incidents must be reported to relevant authorities in accordance with national and international legal regulations.
Personal data breaches must be reported to the relevant authorities within 72 hours in compliance with KVKK and GDPR requirements.
4.4. Training and Awareness
Employees receive regular training on information security incident management and awareness.
4.5. Continuous Improvement
Every incident is considered an opportunity to review and improve existing processes and policies.
This policy has been prepared in accordance with the Turkish Personal Data Protection Law No. 6698 (KVKK), the European Union General Data Protection Regulation (GDPR), and other international information security standards.
If the policies related to the management of information security incidents are not followed, the company's disciplinary procedures will be initiated. Legal processes may also be launched when necessary.
This policy is reviewed annually or as needed. Updates are made in line with legal regulations and information security standards.